Microsoft Admits Zero-Day Aided Google Attackers

Microsoft officials acknowledged that widely publicized attacks on Google and perhaps another 20 or more corporations were helped by a previously unknown zero-day vulnerability in most versions of its popular browser.

Thursday, Microsoft (NASDAQ: MSFT) released a Security Advisory, warning customers of the Internet Explorer breach and providing workarounds that basically call for cranking security in the browser up to 11.

“Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google (NASDAQ: GOOG) and possibly some 20 other corporate networks,” a post on the Microsoft Security Response Center blog said.

The post coincided with a blog post by McAfee CTO George Kurtz, stating that the antivirus firm had found IE had been used in the attacks and had informed Microsoft of its findings.

Microsoft’s Security Advisory confirmed that the security flaw used in some of the attacks exists in all supported combinations of IE and Windows except for IE 5.01 running on Windows 2000 Service Pack 4 (SP4).

Affected systems include IE 6, 7, and 8 running on Windows 2000 SP4 through XP, Windows Server, Vista, and Windows 7, on both 32- and 64-bit releases of those operating systems.

“We are cooperating with Google and other companies, as well as authorities and other industry partners,” the Microsoft blog post continued.

News of the attacks surfaced earlier this week when Google revealed that its search servers for the China market had been attacked.

Change security settings

In the hands of a malicious attacker, the undisclosed bug could be used to completely compromise a user’s PC if he or she, for example, clicked on a booby-trapped link in an e-mail or instant message. In its advisory, Microsoft published temporary workarounds for the flaw, including setting the security for IE’s Internet and Local Intranet zones to high, and disabling active scripting in those zones.
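As an added example that is not part of the original article: a PowerShell audit that reports whether the two workarounds Microsoft's advisory describes (Internet and Local Intranet zones set to High, active scripting disabled in both) are in place for the current user, and optionally applies them. The registry locations and value meanings are assumed from Internet Explorer's documented per-user zone settings, not taken from the article.

```powershell
# Added example (not from the article): audit the IE zone workarounds for the current user.
# Assumed registry layout (IE per-user zone settings):
#   ...\Zones\1 = Local Intranet, ...\Zones\3 = Internet
#   CurrentLevel 0x12000 = High; value "1400" = Active scripting (0 enable, 1 prompt, 3 disable)
$ZoneRoot          = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones             = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$HighLevel         = 0x12000
$ScriptingDisabled = 3

function Get-ZoneWorkaroundStatus {
    param([switch]$Apply)   # -Apply sets the workaround where it is missing
    foreach ($id in $Zones.Keys) {
        $path      = Join-Path $ZoneRoot $id
        $props     = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $level     = $props.CurrentLevel
        $scripting = $props.'1400'
        $levelOk   = ($level -eq $HighLevel)
        $scriptOk  = ($scripting -eq $ScriptingDisabled)

        if ($Apply -and -not ($levelOk -and $scriptOk)) {
            # Set the zone to High and explicitly disable active scripting in it
            Set-ItemProperty -Path $path -Name 'CurrentLevel' -Value $HighLevel -Type DWord
            Set-ItemProperty -Path $path -Name '1400' -Value $ScriptingDisabled -Type DWord
            $levelOk = $scriptOk = $true
        }

        [pscustomobject]@{
            Zone                    = $Zones[$id]
            SecurityLevelHigh       = $levelOk
            ActiveScriptingDisabled = $scriptOk
            CurrentLevel            = ('0x{0:X}' -f [int]$level)
        }
    }
}

# Report only; add -Apply to enforce the workaround for the current user
Get-ZoneWorkaroundStatus | Format-Table -AutoSize
```

Per-user values are overridden when zone settings are enforced by Group Policy under HKLM, so on managed machines check the policy rather than trusting this per-user view.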

“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer,” the advisory said.

A Microsoft spokesperson said the company is working on a patch.

Microsoft’s Security Advisory is available online.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.
